identity

package
v0.16.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 30, 2019 License: AGPL-3.0 Imports: 29 Imported by: 0

Documentation

Index

Constants

View Source
const (
	NoCertNoKey = TLSFilesStatus(iota)
	CertNoKey
	NoCertKey
	CertKey
)

Four possible outcomes for four files

Variables

View Source
var (
	// ErrZeroBytes is returned for zero slice
	ErrZeroBytes = errs.New("byte slice was unexpectedly empty")
)
View Source
var (

	// Error is a pkg/identity error
	Error = errs.Class("identity error")
)

Functions

func GenerateKey

func GenerateKey(ctx context.Context, minDifficulty uint16, version storj.IDVersion) (
	k crypto.PrivateKey, id storj.NodeID, err error)

GenerateKey generates a private key with a node id with difficulty at least minDifficulty. No parallelism is used.

func GenerateKeys

func GenerateKeys(ctx context.Context, minDifficulty uint16, concurrency int, version storj.IDVersion, found GenerateCallback) (err error)

GenerateKeys continues to generate keys until found returns done == false, or the ctx is canceled.

func NodeIDFromCert added in v0.9.0

func NodeIDFromCert(cert *x509.Certificate) (id storj.NodeID, err error)

NodeIDFromCert looks for a version in an ID version extension in the passed cert and then calculates a versioned node ID using the certificate public key. NB: `cert` would typically be an identity's certificate authority certificate.

func NodeIDFromCertPath

func NodeIDFromCertPath(certPath string) (storj.NodeID, error)

NodeIDFromCertPath loads a node ID from a certificate file path.

func NodeIDFromKey

func NodeIDFromKey(k crypto.PublicKey, version storj.IDVersion) (storj.NodeID, error)

NodeIDFromKey calculates the node ID for a given public key with the passed version.

func NodeIDFromPEM

func NodeIDFromPEM(pemBytes []byte) (storj.NodeID, error)

NodeIDFromPEM loads a node ID from certificate bytes.

func ToChains

func ToChains(chains ...[]*x509.Certificate) [][]*x509.Certificate

ToChains takes a number of certificate chains and returns them as a 2d slice of chains of certificates.

Types

type CASetupConfig

type CASetupConfig struct {
	VersionNumber  uint   `default:"0" help:"which identity version to use (0 is latest)"`
	ParentCertPath string `help:"path to the parent authority's certificate chain"`
	ParentKeyPath  string `help:"path to the parent authority's private key"`
	CertPath       string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath        string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
	Difficulty     uint64 `help:"minimum difficulty for identity generation" default:"30"`
	Timeout        string `help:"timeout for CA generation; golang duration string (0 no timeout)" default:"5m"`
	Overwrite      bool   `help:"if true, existing CA certs AND keys will overwritten" default:"false" setup:"true"`
	Concurrency    uint   `help:"number of concurrent workers for certificate authority generation" default:"4"`
}

CASetupConfig is for creating a CA

func (CASetupConfig) Create

func (caS CASetupConfig) Create(ctx context.Context, logger io.Writer) (*FullCertificateAuthority, error)

Create generates and saves a CA using the config

func (CASetupConfig) FullConfig

func (caS CASetupConfig) FullConfig() FullCAConfig

FullConfig converts a `CASetupConfig` to `FullCAConfig`

func (CASetupConfig) Status

func (caS CASetupConfig) Status() (TLSFilesStatus, error)

Status returns the status of the CA cert/key files for the config

type Config

type Config struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true"`
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key" user:"true"`
}

Config allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.

func (Config) Load

func (ic Config) Load() (*FullIdentity, error)

Load loads a FullIdentity from the config

func (Config) PeerConfig

func (ic Config) PeerConfig() *PeerConfig

PeerConfig converts a Config to a PeerConfig

func (Config) Save

func (ic Config) Save(fi *FullIdentity) error

Save saves a FullIdentity according to the config

func (Config) SaveBackup

func (ic Config) SaveBackup(fi *FullIdentity) error

SaveBackup saves the certificate of the config with a timestamped filename

type FullCAConfig

type FullCAConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
	KeyPath  string `help:"path to the private key for this identity" default:"$IDENTITYDIR/ca.key"`
}

FullCAConfig is for locating a CA certificate and it's private key

func (FullCAConfig) Load

Load loads a CA from the given configuration

func (FullCAConfig) PeerConfig

func (fc FullCAConfig) PeerConfig() PeerCAConfig

PeerConfig converts a full ca config to a peer ca config

func (FullCAConfig) Save

Save saves a CA with the given configuration

func (FullCAConfig) SaveBackup

func (fc FullCAConfig) SaveBackup(ca *FullCertificateAuthority) error

SaveBackup saves the certificate of the config wth a timestamped filename

type FullCertificateAuthority

type FullCertificateAuthority struct {
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
	// Key is the private key of the CA
	Key crypto.PrivateKey
}

FullCertificateAuthority represents the CA which is used to author and validate full identities

func FullCertificateAuthorityFromPEM

func FullCertificateAuthorityFromPEM(chainPEM, keyPEM []byte) (*FullCertificateAuthority, error)

FullCertificateAuthorityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

func NewCA

func NewCA(ctx context.Context, opts NewCAOptions) (_ *FullCertificateAuthority, err error)

NewCA creates a new full identity with the given difficulty

func (*FullCertificateAuthority) AddExtension

func (ca *FullCertificateAuthority) AddExtension(exts ...pkix.Extension) error

AddExtension adds extensions to certificate authority certificate. Extensions are serialized into the certificate's raw bytes and it is re-signed by itself.

func (*FullCertificateAuthority) Chain

func (ca *FullCertificateAuthority) Chain() []*x509.Certificate

Chain returns the CA's certificate chain

func (*FullCertificateAuthority) NewIdentity

func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullIdentity, error)

NewIdentity generates a new `FullIdentity` based on the CA. The CA cert is included in the identity's cert chain and the identity's leaf cert is signed by the CA.

func (*FullCertificateAuthority) PeerCA

PeerCA converts a FullCertificateAuthority to a PeerCertificateAuthority

func (*FullCertificateAuthority) RawChain

func (ca *FullCertificateAuthority) RawChain() [][]byte

RawChain returns the CA's certificate chain as a 2d byte slice

func (*FullCertificateAuthority) RawRestChain

func (ca *FullCertificateAuthority) RawRestChain() [][]byte

RawRestChain returns the "rest" (excluding `ca.Cert`) of the certificate chain as a 2d byte slice

func (*FullCertificateAuthority) Revoke

func (ca *FullCertificateAuthority) Revoke() error

Revoke extends the certificate authority certificate with a certificate revocation extension.

func (*FullCertificateAuthority) Sign

Sign signs the passed certificate with ca certificate

func (*FullCertificateAuthority) Version added in v0.9.0

func (ca *FullCertificateAuthority) Version() (storj.IDVersion, error)

Version looks up the version based on the certificate's ID version extension.

type FullIdentity

type FullIdentity struct {
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA. The ID is taken from this cert.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
	// Key is the key this identity uses with the leaf for communication.
	Key crypto.PrivateKey
}

FullIdentity represents you on the network. In addition to a PeerIdentity, a FullIdentity also has a Key, which a PeerIdentity doesn't have.

func FullIdentityFromPEM

func FullIdentityFromPEM(chainPEM, keyPEM []byte) (*FullIdentity, error)

FullIdentityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

func NewFullIdentity

func NewFullIdentity(ctx context.Context, opts NewCAOptions) (*FullIdentity, error)

NewFullIdentity creates a new ID for nodes with difficulty and concurrency params.

func (*FullIdentity) Chain

func (fi *FullIdentity) Chain() []*x509.Certificate

Chain returns the Identity's certificate chain

func (*FullIdentity) PeerIdentity

func (fi *FullIdentity) PeerIdentity() *PeerIdentity

PeerIdentity converts a FullIdentity into a PeerIdentity

func (*FullIdentity) RawChain

func (fi *FullIdentity) RawChain() [][]byte

RawChain returns all of the certificate chain as a 2d byte slice

func (*FullIdentity) RawRestChain

func (fi *FullIdentity) RawRestChain() [][]byte

RawRestChain returns the rest (excluding leaf and CA) of the certificate chain as a 2d byte slice

func (*FullIdentity) Version added in v0.9.0

func (fi *FullIdentity) Version() (storj.IDVersion, error)

Version looks up the version based on the certificate's ID version extension.

type GenerateCallback

type GenerateCallback func(crypto.PrivateKey, storj.NodeID) (done bool, err error)

GenerateCallback indicates that key generation is done when done is true. if err != nil key generation will stop with that error

type ManageableFullIdentity

type ManageableFullIdentity struct {
	*FullIdentity
	CA *FullCertificateAuthority
}

ManageableFullIdentity is a `FullIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization and the leaf private key; e.g. revoking a leaf cert (private key changes).

func NewManageableFullIdentity

func NewManageableFullIdentity(ident *FullIdentity, ca *FullCertificateAuthority) *ManageableFullIdentity

NewManageableFullIdentity returns a manageable identity given a full identity and a full certificate authority.

func (*ManageableFullIdentity) Revoke

func (manageableIdent *ManageableFullIdentity) Revoke() error

Revoke extends the CA certificate with a certificate revocation extension.

type ManageablePeerIdentity

type ManageablePeerIdentity struct {
	*PeerIdentity
	CA *FullCertificateAuthority
}

ManageablePeerIdentity is a `PeerIdentity` and its corresponding `FullCertificateAuthority` in a single struct. It is used for making changes to the identity that require CA authorization; e.g. adding extensions.

func NewManageablePeerIdentity

func NewManageablePeerIdentity(ident *PeerIdentity, ca *FullCertificateAuthority) *ManageablePeerIdentity

NewManageablePeerIdentity returns a manageable identity given a full identity and a full certificate authority.

func (*ManageablePeerIdentity) AddExtension

func (manageableIdent *ManageablePeerIdentity) AddExtension(ext ...pkix.Extension) error

AddExtension adds extensions to the leaf cert of an identity. Extensions are serialized into the certificate's raw bytes and is re-signed by it's certificate authority.

type NewCAOptions

type NewCAOptions struct {
	// VersionNumber is the IDVersion to use for the identity
	VersionNumber storj.IDVersionNumber
	// Difficulty is the number of trailing zero-bits the nodeID must have
	Difficulty uint16
	// Concurrency is the number of go routines used to generate a CA of sufficient difficulty
	Concurrency uint
	// ParentCert, if provided will be prepended to the certificate chain
	ParentCert *x509.Certificate
	// ParentKey ()
	ParentKey crypto.PrivateKey
	// Logger is used to log generation status updates
	Logger io.Writer
}

NewCAOptions is used to pass parameters to `NewCA`

type PeerCAConfig

type PeerCAConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/ca.cert"`
}

PeerCAConfig is for locating a CA certificate without a private key

func (PeerCAConfig) Load

Load loads a CA from the given configuration

func (PeerCAConfig) Save

Save saves a peer CA (cert, no key) with the given configuration

func (PeerCAConfig) SaveBackup

func (pc PeerCAConfig) SaveBackup(ca *PeerCertificateAuthority) error

SaveBackup saves the certificate of the config wth a timestamped filename

type PeerCertificateAuthority

type PeerCertificateAuthority struct {
	RestChain []*x509.Certificate
	// Cert is the x509 certificate of the CA
	Cert *x509.Certificate
	// The ID is calculated from the CA public key.
	ID storj.NodeID
}

PeerCertificateAuthority represents the CA which is used to validate peer identities

func PeerCertificateAuthorityFromPEM

func PeerCertificateAuthorityFromPEM(chainPEM []byte) (*PeerCertificateAuthority, error)

PeerCertificateAuthorityFromPEM loads a FullIdentity from a certificate chain and private key PEM-encoded bytes.

type PeerConfig

type PeerConfig struct {
	CertPath string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert" user:"true"`
}

PeerConfig allows you to interact with a peer identity (cert, no key) on disk.

func (PeerConfig) Load

func (ic PeerConfig) Load() (*PeerIdentity, error)

Load loads a PeerIdentity from the config

func (PeerConfig) Save

func (ic PeerConfig) Save(peerIdent *PeerIdentity) error

Save saves a PeerIdentity according to the config

func (PeerConfig) SaveBackup

func (ic PeerConfig) SaveBackup(pi *PeerIdentity) error

SaveBackup saves the certificate of the config with a timestamped filename

type PeerIdentity

type PeerIdentity struct {
	RestChain []*x509.Certificate
	// CA represents the peer's self-signed CA.
	CA *x509.Certificate
	// Leaf represents the leaf they're currently using. The leaf should be
	// signed by the CA. The leaf is what is used for communication.
	Leaf *x509.Certificate
	// The ID taken from the CA public key.
	ID storj.NodeID
}

PeerIdentity represents another peer on the network.

func PeerIdentityFromChain added in v0.9.0

func PeerIdentityFromChain(chain []*x509.Certificate) (*PeerIdentity, error)

PeerIdentityFromChain loads a PeerIdentity from an identity certificate chain.

func PeerIdentityFromContext

func PeerIdentityFromContext(ctx context.Context) (*PeerIdentity, error)

PeerIdentityFromContext loads a PeerIdentity from a ctx TLS credentials.

func PeerIdentityFromPEM

func PeerIdentityFromPEM(chainPEM []byte) (*PeerIdentity, error)

PeerIdentityFromPEM loads a PeerIdentity from a certificate chain and private key PEM-encoded bytes.

func PeerIdentityFromPeer

func PeerIdentityFromPeer(peer *peer.Peer) (*PeerIdentity, error)

PeerIdentityFromPeer loads a PeerIdentity from a peer connection.

type RevocationDB

type RevocationDB struct {
	DB storage.KeyValueStore
}

RevocationDB stores the most recently seen revocation for each nodeID (i.e. nodeID [CA certificate's public key hash] is the key, values is the most recently seen revocation).

func NewRevocationDB

func NewRevocationDB(revocationDBURL string) (*RevocationDB, error)

NewRevocationDB returns a new revocation database given the URL

func (RevocationDB) Close

func (r RevocationDB) Close() error

Close closes the underlying store

func (RevocationDB) Get

func (r RevocationDB) Get(ctx context.Context, chain []*x509.Certificate) (_ *extensions.Revocation, err error)

Get attempts to retrieve the most recent revocation for the given cert chain (the key used in the underlying database is the nodeID of the certificate chain).

func (RevocationDB) List

func (r RevocationDB) List(ctx context.Context) (revs []*extensions.Revocation, err error)

List lists all revocations in the store

func (RevocationDB) Put

func (r RevocationDB) Put(ctx context.Context, chain []*x509.Certificate, revExt pkix.Extension) (err error)

Put stores the most recent revocation for the given cert chain IF the timestamp is newer than the current value (the key used in the underlying database is the nodeID of the certificate chain).

type SetupConfig

type SetupConfig struct {
	CertPath  string `help:"path to the certificate chain for this identity" default:"$IDENTITYDIR/identity.cert"`
	KeyPath   string `help:"path to the private key for this identity" default:"$IDENTITYDIR/identity.key"`
	Overwrite bool   `help:"if true, existing identity certs AND keys will overwritten for" default:"false" setup:"true"`
	Version   string `help:"semantic version of identity storage format" default:"0"`
}

SetupConfig allows you to run a set of Responsibilities with the given identity. You can also just load an Identity from disk.

func (SetupConfig) Create

Create generates and saves a CA using the config

func (SetupConfig) FullConfig

func (is SetupConfig) FullConfig() Config

FullConfig converts a `SetupConfig` to `Config`

func (SetupConfig) Status

func (is SetupConfig) Status() (TLSFilesStatus, error)

Status returns the status of the identity cert/key files for the config

type TLSFilesStatus

type TLSFilesStatus int

TLSFilesStatus is the status of keys

func (TLSFilesStatus) String

func (t TLSFilesStatus) String() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL